by Tom Cross - Director of Security Research at Lancope - Tuesday, 29 October 2013.

The command and control ports used by 2 million malware samples.

Malware authors seem to prefer low port numbers, whereas legitimate software more often uses higher ones. Popular malware command and control ports were clustered below port 10,000, whereas the legitimate network made relatively sparse use of that range. The difference is particularly clear below port 1024, the range Internet standards reserve as the “well-known ports”. Our malware samples used 866 well-known TCP ports, but the legitimate traffic used only 166. On the UDP side, 1018 well-known ports were used by malware, but only 19 were used on the legitimate network. This suggests that the use of unusual ports below 1024 is a behavioral anomaly worth investigating: it could indicate a malware infection. “Unusual” has to be judged against the network’s own baseline, since a port that is well-known in the standards sense (TCP/80, UDP/53) is expected on almost any network.

Ports used by a small office network over the course of a month.

A similar observation can be made about the so-called “ephemeral port range”. TCP and UDP ports above 49,151 are meant to be assigned dynamically to legitimate applications, typically as the client side of a short-lived connection, so any single port in that range should appear only transiently. However, many of these ports were used for command and control communications by malware in our sample set, and command and control traffic tends to return to the same port again and again. Consistent use of a port above 49,151, day after day, is therefore another indicator of a possible malware infection. It is an indicator rather than proof: a few legitimate protocols, such as passive-mode FTP data connections, also settle on high-numbered ports, which is one more reason to compare against what the network normally does.
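The two heuristics above, persistent use of a well-known port that is not in the network's baseline and persistent use of an ephemeral-range port, can be turned into a simple check over flow records. The following is an added example, not code from the article or from Lancope: it classifies destination ports into the IANA ranges, counts distinct ports per range (the measurement behind the 866-versus-166 comparison), and flags host/port pairs that recur on several days. The flow records and the baseline port set are constructed for the example; the `min_days` threshold is an assumption, chosen so that one-off use of a high port is not reported.

```python
from collections import defaultdict

# Port ranges as assigned by IANA (RFC 6335).
WELL_KNOWN_MAX = 1023     # 0-1023: "well-known" (system) ports
EPHEMERAL_MIN = 49152     # 49152-65535: dynamic / ephemeral ports


def port_range(port):
    """Classify a 16-bit port number into its IANA range."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port < EPHEMERAL_MIN:
        return "registered"
    return "ephemeral"


def distinct_ports_by_range(flows):
    """Count distinct destination ports per (protocol, range): the same
    measurement the article reports for malware versus legitimate traffic."""
    seen = defaultdict(set)
    for _host, proto, port, _day in flows:
        seen[(proto, port_range(port))].add(port)
    return {key: len(ports) for key, ports in seen.items()}


def find_persistent_port_anomalies(flows, baseline, min_days=3):
    """Flag (host, proto, port) tuples seen on at least `min_days` distinct
    days that are either a well-known port outside the network's baseline
    or any port in the ephemeral range. Transient use is left alone."""
    days_seen = defaultdict(set)
    for host, proto, port, day in flows:
        days_seen[(host, proto, port)].add(day)

    findings = []
    for (host, proto, port), days in sorted(days_seen.items()):
        if len(days) < min_days:
            continue  # one-off use is normal, especially for ephemeral ports
        rng = port_range(port)
        if rng == "well-known" and port not in baseline.get(proto, set()):
            findings.append((host, proto, port, "persistent well-known port not in baseline"))
        elif rng == "ephemeral":
            findings.append((host, proto, port, "persistent ephemeral-range port"))
    return findings


# Constructed sample flows: (source host, protocol, destination port, day number).
SAMPLE_FLOWS = (
    [("10.0.0.5", "tcp", 443, d) for d in range(1, 6)]      # HTTPS every day: normal
    + [("10.0.0.5", "tcp", 80, d) for d in range(1, 6)]
    + [("10.0.0.7", "tcp", 7, d) for d in range(1, 6)]      # TCP/7 (echo) five days running
    + [("10.0.0.9", "udp", 53001, d) for d in range(2, 6)]  # same high UDP port four days
    + [("10.0.0.11", "tcp", 52000, 3)]                      # one-off high port: transient
    + [("10.0.0.11", "udp", 53, d) for d in range(1, 6)]    # DNS, in the baseline
)

# Ports this (constructed) network is known to use legitimately.
BASELINE_PORTS = {"tcp": {22, 25, 80, 443}, "udp": {53, 123}}


if __name__ == "__main__":
    for key, n in sorted(distinct_ports_by_range(SAMPLE_FLOWS).items()):
        print(f"{key[0]} {key[1]:<11} distinct ports: {n}")
    for finding in find_persistent_port_anomalies(SAMPLE_FLOWS, BASELINE_PORTS):
        print("ALERT", *finding)
```

On the sample data the echo-port host and the host returning to UDP/53001 are reported; the single TCP/52000 connection is not, because the ephemeral range is only suspicious when the same port keeps coming back. In practice the baseline should be learned from the network's own history rather than typed in.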

One of the strangest features of the image of malware command and control ports is a set of three diagonal lines of popular ports that stretch through it. The lines start at port 0, port 36 and port 45, and in all three cases consist of every 257th port from the starting point. We isolated the exclusive use of UDP ports fitting this sequence to 14 specific malware samples. Given how unusual this pattern of port utilization is, the samples are probably related to each other, even though they communicate with 6 different domain names that have been hosted in 8 different countries around the world. It is possible that the same botnet operator is responsible for propagating all of them.
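The residue-class check behind those diagonal lines, as an added example in Python that is not from the article. It assumes the image lays the 65,536 port numbers out as a 256-by-256 raster (the page does not say so; under that assumption a stride of 257 is one row down and one column right, which is what draws a diagonal). The two port lists are constructed for the example and are not the real ports of the 14 samples.

```python
from collections import defaultdict

GRID_WIDTH = 256  # assumed layout: 65,536 ports drawn as a 256-by-256 raster


def port_to_grid(port):
    """Map a port number to (row, column) in the assumed raster."""
    return divmod(port, GRID_WIDTH)


def grid_steps(ports):
    """(row delta, column delta) between consecutive ports in sorted order;
    a run of (1, 1) steps is a diagonal line in the raster."""
    coords = [port_to_grid(p) for p in sorted(ports)]
    return [(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(coords, coords[1:])]


def find_stride_sequences(ports, stride=257, min_members=3):
    """Group ports by residue modulo `stride` and return {residue: sorted ports}
    for every residue class with at least `min_members` distinct ports.
    The residue is the starting port of the sequence (0, 36 and 45 in the article)."""
    classes = defaultdict(set)
    for p in ports:
        classes[p % stride].add(p)
    return {r: sorted(ps) for r, ps in classes.items() if len(ps) >= min_members}


def uses_only_sequence_ports(ports, starts=(0, 36, 45), stride=257):
    """True if every port sits on one of the sequences start + k * stride,
    i.e. the 'exclusive use' the article used to isolate the 14 samples."""
    allowed = {s % stride for s in starts}
    return bool(ports) and all(p % stride in allowed for p in ports)


# Constructed UDP destination ports of two hypothetical samples.
SAMPLE_A = [0, 257, 514, 771, 36, 293, 550, 45, 302, 559]  # every 257th port from 0, 36, 45
SAMPLE_B = [53, 123, 36, 293]                               # ordinary ports plus two hits


if __name__ == "__main__":
    for start, members in sorted(find_stride_sequences(SAMPLE_A).items()):
        print(f"sequence from port {start}: {members} steps {grid_steps(members)}")
    print("sample A exclusive:", uses_only_sequence_ports(SAMPLE_A))
    print("sample B exclusive:", uses_only_sequence_ports(SAMPLE_B))
```

Run over a sample's observed UDP ports, `find_stride_sequences` recovers the three starting points, and `uses_only_sequence_ports` is the filter that separates samples which use these ports exclusively from ones that merely hit a couple of them by chance.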

While there is no end in sight to the debate between advocates of Artificial Intelligence and Human-Computer Interaction, it is clear that visualizations of computer network activity can lead to interesting insights for network security professionals. The researchers participating in VizSec are helping to advance the state of the art in this area, and the research they are doing has important applications in the fight against sophisticated computer network attacks.
